In Bionic linker, the soinfo structure has a field next, which points to the next loaded library in a linked list consisting of all loaded libraries.

Hence, an injected application can easily find all loaded libraries.

The following cases are considered as injections:

1. some soinfo object has empty pathname;
2. the linked list of all soinfo has gaps between elements, and such gap appears before specializeAppProcess.

See blog Android 用户态注入隐藏已死.

A call to dlclose will increase the counter g_module_unload_counter.

This detection highly depends on Android OS and vendor customization, which is shown to be false positive on Samsung and OnePlus.

• Zygisk of Magisk
• ZygiskNext
• ReZygisk (fixed by JingMatrix in PerformanC/ReZygisk#101)